I have a GCP bucket, and machines running with ES 7.6.1 in two separate clusters:
- cluster 0, with machines "machine 0"
- cluster 1, with machines "machine 1"
- GCP Bucket
My goal is:
- register a repository with this GCP Bucket on machine 0
- snapshot to this bucket with machine 0
- register a repository with this GCP Bucket on machine 1
- restore from the snapshot created by machine 0
For both machines, I have:
- installed repository-gcs
- added the credentials to ES:
  elasticsearch-keystore add-file gcs.client.default.credentials_file <service_account.json>
- POST localhost:9200/_nodes/reload_secure_settings to reset the secure settings.
- Restart ES (only necessary on older versions of ES, but I tried it anyway)
From there I am able to:
- Register a repository with this GCP Bucket on machine 0
- Snapshot to the bucket
- Restore from this snapshot back to machine 0
However, I am not able to register, snapshot, or restore following the exact same steps on machine 1. I have tried at least 10 times on multiple different machines from each cluster and am able to reliably interact only with machines from cluster 0.
For machines from cluster 1, I get this authentication error:
curl -X PUT "localhost:9200/_snapshot/test-backup?pretty" -H 'Content-Type: application/json' -d'
> {
> "type": "gcs",
> "settings": {
> "bucket": "<bucket>",
> "base_path": "backup"
> }
> }
> '
{
"error" : {
"root_cause" : [
{
"type" : "blob_store_exception",
"reason" : "Unable to check if bucket exists"
}
],
"type" : "repository_exception",
"reason" : "[test-backup] cannot create blob store",
"caused_by" : {
"type" : "blob_store_exception",
"reason" : "Unable to check if bucket exists",
"caused_by" : {
"type" : "security_exception",
"reason" : "access denied (\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")"
}
}
},
"status" : 500
}
On machines from cluster 1, I can even access the bucket using gsutil, so I don't believe it's a network configuration issue.
I am completely out of ideas as to why two machines, with the same version of ES, configured the same way with elasticsearch-keystore with the same service account would behave differently in this scenario.
Any suggestions would be greatly appreciated.
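
Added example, not part of the original post: a Python helper that walks the caused_by chain of the error response quoted above and reports whether the innermost cause has the message shape of a Java permission denial, access denied ("class" "name"), which is raised inside the Elasticsearch JVM rather than returned by the storage service. The function names are hypothetical; the JSON body is copied from the post, with the bucket left as the post's placeholder.

```python
import json
import re

# Error body copied from the post above; <bucket> is the post's own placeholder.
RESPONSE = r'''
{"error": {
   "root_cause": [{"type": "blob_store_exception",
                   "reason": "Unable to check if bucket exists"}],
   "type": "repository_exception",
   "reason": "[test-backup] cannot create blob store",
   "caused_by": {
     "type": "blob_store_exception",
     "reason": "Unable to check if bucket exists",
     "caused_by": {
       "type": "security_exception",
       "reason": "access denied (\"java.lang.RuntimePermission\" \"accessDeclaredMembers\")"}}},
 "status": 500}
'''

# Java permission denials render as: access denied ("<class>" "<name>" ["<actions>"])
DENIED = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]*)")?\)')


def cause_chain(error):
    """Return [(type, reason), ...] from the outermost error to the innermost caused_by."""
    chain = []
    node = error
    while isinstance(node, dict):
        chain.append((node.get("type"), node.get("reason")))
        node = node.get("caused_by")
    return chain


def diagnose(body):
    """Classify an Elasticsearch error response by its innermost cause."""
    chain = cause_chain(json.loads(body).get("error", {}))
    etype, reason = chain[-1]
    match = DENIED.search(reason or "")
    if match:
        # The denial names a JVM permission, so compare JVM and plugin setup across nodes.
        return {"kind": "jvm_permission_denied", "permission_class": match.group(1),
                "permission_name": match.group(2), "actions": match.group(3),
                "depth": len(chain)}
    return {"kind": "other", "type": etype, "reason": reason, "depth": len(chain)}


if __name__ == "__main__":
    print(diagnose(RESPONSE))
```

Running the same function over the response from a cluster 0 node and a cluster 1 node makes the difference between the two visible at the level of the innermost cause instead of the generic "cannot create blob store" wrapper.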